Is EU Privacy Law Enforcement About to Become a Team Effort?
So European DPAs could be forgiven for thinking that they have become a focal point of reference for the functioning of the current and forthcoming EU data protection regime. This has been reinforced even more by the importance given to the one-stop-shop (OSS) debate within the Council of the EU. OSS was originally presented as one of the fundamental pillars of the future Data Protection Regulation. If EU data protection harmonisation was the top priority of the EU Commission’s policy, OSS was regarded as an essential tool to achieve that objective. The notion of one single DPA taking exclusive responsibility for supervising compliance with the law for all data activities undertaken by a controller throughout the EU was not only an ambitious one, but a bold statement about the ideal regulation of privacy in a harmonised Europe.
But the Council always adds a dose of sobriety to the Commission's idealistic thinking, and this matter is no exception. The debate within the Council, and indeed amongst the EU legislative institutions, is far from over, but the latest stance of the Council on this issue after two and a half years of debate is quite telling. The documentation prepared by the Greek Presidency of the Council at the end of May 2014 summarises the position rather neatly. Long gone is the Commission's concept of exclusive competence, which the Council, as the EU Parliament did in March, has replaced with the 'lead authority' model. Under the Council's latest position, the lead authority must always avoid going solo and will need to involve other concerned authorities in its decision-making process.
There are several building blocks to the Council's view of OSS. The overall principle is that a lead authority must seek the cooperation of other DPAs when individuals in various Member States are affected by the use of their personal data by the same controller. In fact, OSS does not even apply where a controller or processor is established in more than one Member State, which could make OSS rather useless given the broad interpretation of a local establishment adopted by the ECJ. In any event, where individuals in more than one Member State are affected by data-related operations, the DPAs of all of those Member States must have a say in any enforcement decision.
In addition, any authority in a Member State where an individual has lodged a complaint about the use of their data can in turn prepare a draft enforcement decision and run it past the lead authority, reversing the OSS process altogether. The bottom line is that the DPAs of the countries where the individuals whose data is being processed by the same controller reside must be consulted by the lead authority. If, following that consultation, a DPA raises any objections to whatever proposal is being made by the lead authority, the matter must then be dealt with by the whole European Data Protection Board (EDPB) under the so-called consistency mechanism. It is of course impossible to know how frequently the consistency mechanism will be invoked, but what is clear is that the EDPB, as the successor to the WP29, is likely to end up acting as an EU-wide super-regulator. Ironically, this may have been what the Commission intended in the first place, but the effectiveness of such a system would rely on the DPAs' ability to act as a well-coordinated, closely aligned and highly efficient team.
This article was first published in Data Protection Law & Policy in June 2014.